
> We think the issue might not be severe enough [...]

It might not? In other words, if a security vulnerability is reported, assume everything is actually fine until proven exploitable beyond any shadow of a doubt?




> All the really bad security vulnerabilities were obvious.

All the really bad security vulnerabilities that were found were obvious?

One is more likely to find things that are obvious?


> If security is a concern

At the risk of being presumptuous... When is security ever not a concern?


> it is not necessarily

Sure, but labeling a site as “Possibly not secure” wouldn’t be a very effective way of communicating the risks to users.


> That is probably based on the idea that any local attack is going to end up being a complete compromise of the end point ... which is not an unreasonable assumption.

It's absolutely unreasonable.

If my endpoint is compromised, should I assume my key is potentially violated, and so change it? Yes

But should I assume that everything in my life is tainted and therefore pre-emptively expose all my secrets to attackers immediately? Of course not.


> and not breached

Bit of an ideal conditions assumption.

If security isn’t breached then you by definition don’t have a security issue.


>> We always have to assume worst case for security vulnerabilities, it's kind of the whole job of being a security researcher to determine what could have happened.

Many people will be annoyed by this "assume the worst" drama.

For example, drinking too much water, if we assume the worst, can kill you.

Also, walking around can kill you, if we assume the worst.

Also, just being around can kill you, if we assume the worst, hey, you could die of a stroke.

So, how is this "assume the worst" statement useful?


> You're offering hypothetical, worst-case whataboutisms

Otherwise known as “security”, yes


> I don't understand what would make someone think that possibly-compromised security is worse than no security.

False sense of security - you think your communications are secure but they're not.


"When a site is brought down, it is often vulnerable to further security breaches."

What? I'd say it's just the other way around.


"If it says Not Secure, it's definitely not secure. If it doesn't say that, it's probably not secure anyway."

> when can you claim something as secure?

Here’s a maybe wild take, uh, never?


> We already assume the network is insecure.

Maybe naively, I wish this assumption became universal.


Yeah. Don't say:

  This plane has <security vulnerability> ... shall we play with it and do <bad thing>?
It's just asking for trouble.

On the other hand, maybe this would go down better:

  Oh god, this plane has <security vulnerability>. That does not make me feel safe. What if someone did <bad thing>? D:

Yup.

"This almost certainly doesn’t have any security impact, but I’m happy(ish) to be proved wrong."

There are a few words I'd remove from that sentence, I guess.


> you can be certain

To be precise: If it works as described, it makes it (a little? substantially? orders of magnitude?) more difficult for third parties to modify the code.

"Certain" is not a word used in security, IME.


> How is that the most reasonable approach?

The reasonable approach is to be overly cautious. A false sense of security is worse than no security at all.


> No, he means what do you find unusual about it

> It seems like a big security hole.


> When you consider the potential implications, and possible scenarios, from a security perspective you have to assume that they're not just "possible" but a reality.

No you don't. You definitely don't want to assume otherwise and you spend the time derisking and investigating, but if you have zero evidence to support the situation you don't just consider it the case anyways.


They admit they do not have enough information to determine the cause, yet they suggest there is little security risk. They can either know or not know, but not both at the same time.

At least that is how I understand the statement.
